{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3585", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T06:16:21.181Z", "datePublished": "2026-03-10T03:33:51.369Z", "dateUpdated": "2026-04-08T17:09:33.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:33.116Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.15.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e404ab-fe2b-45b3-b8ff-672f7888b747?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.17/src/Tribe/Aggregator/Tabs/New.php#L466"}, {"url": "https://research.cleantalk.org/cve-2026-3585/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-03-05T06:32:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-09T14:40:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:58:02.895839Z", "id": "CVE-2026-3585", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:52:12.165Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3585", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:58:02.895839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:58:04.006Z"}}], "cna": {"title": "The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.15.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-05T06:32:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-09T14:40:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e404ab-fe2b-45b3-b8ff-672f7888b747?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.17/src/Tribe/Aggregator/Tabs/New.php#L466"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-10T03:33:51.369Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3585", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:52:12.165Z", "dateReserved": "2026-03-05T06:16:21.181Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-10T03:33:51.369Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}, {"lang": "es", "value": "El plugin The Events Calendar para WordPress es vulnerable a salto de ruta en todas las versiones hasta la 6.15.17, inclusive, a trav\u00e9s de la funci\u00f3n ajax_create_import. Esto permite a atacantes autenticados, con acceso de nivel Autor o superior, leer el contenido de archivos arbitrarios en el servidor, que pueden contener informaci\u00f3n sensible."}], "id": "CVE-2026-3585", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-10T17:40:37.773", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.17/src/Tribe/Aggregator/Tabs/New.php#L466"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-3585/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e404ab-fe2b-45b3-b8ff-672f7888b747?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.15.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "The Events Calendar", "source": "cna", "vendor": "stellarwp"}, "product": "the_events_calendar", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:43:50.329536+00:00", "value": {"mitigation_remediation": ["Upgrade The Events Calendar to version\u00a06.15.18 or later.", "Revoke Author\u2011level permissions from users who do not need them and assign the lowest effective role.", "Reconfigure the site or server to restrict access to the ajax_create_import endpoint, for example by limiting it to administrators only or by blocking the endpoint through a security plugin or server rule."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin The Events Calendar. All releases up to and including version\u00a06.15.17 are vulnerable. The flaw exists in the code handling the AJAX import feature that is used by site administrators and authors to import events from external sources.", "description_and_impact": "The vulnerability is a path traversal flaw in the ajax_create_import function of The Events Calendar plugin. It allows an authenticated user with Author\u2011level or higher privileges to craft a request that reads the contents of any file on the server. This can expose sensitive configuration, credentials, or other confidential data and represents a significant compromise of data confidentiality.", "risk_and_exploitability": "The CVSS base score of 7.5 classifies the issue as high severity, indicating that once exploited, an attacker gains non\u2011privileged read access to arbitrary files. The EPSS score of less than\u00a01% suggests that, as of the latest analysis, exploitation is unlikely to be widespread, and the flaw is not listed in the CISA KEV catalog. Nevertheless, because the flaw requires only an Author\u2011level account, which is common on many sites, the attack state is realistic for any site that allows authors to use the import feature. Successful exploitation would provide the attacker with data that could be used for further compromise or exploitation of other services running on the same server."}}}}, "created": "2026-03-10T14:06:03.746464+00:00", "updated": "2026-04-15T17:45:10.770563+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$the_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}